WORM_DLOADR.SMM

 Modified by: Christopher Daniel So

 ALIASES:

VirTool:Win32/Injector.gen!AD (Microsoft), Backdoor.IRC.Bot (Symantec), BackDoor-EEF (McAfee), Net-Worm.Win32.Agent.bk (Kaspersky), Net-Worm.Win32.Kolab.gen (Sunbelt), W32/Injector.HMH!tr (Fortinet), W32/Downldr2.GLQI (FProt), Win32/IRCBot.AMC trojan (Nod32), Trj/Downloader.MDW (Panda), TR/Dropper.Gen (AntiVir), W32/Downldr2.GLQI (Authentium), Worm.Win32.Pushbot (Ikarus), Backdoor W32/Smalldoor.JZTO (Norman), Backdoor.SdBot.ovb (Quickheal)

 PLATFORM:

Windows 2000, XP, Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Worm

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Propagates via removable drives, Propagates via software vulnerabilities

This worm arrives via removable drives. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system. It uses a list of passwords to gain access to password-protected shares.

It connects to certain URLs. It may do this to remotely inform a malicious user of its installation. It may also do this to download possibly malicious files onto the computer, which puts the computer at a greater risk of infection by other threats. As of this writing, the said sites are inaccessible.

  TECHNICAL DETAILS

File Size:

Varies

File Type:

PE

Memory Resident:

No

Initial Samples Received Date:

08 Sep 2009

Payload:

Compromises system security, Downloads files

Arrival Details

This worm arrives via removable drives.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This worm drops the following copies of itself into the affected system:

  • %Windows%\system\winrsc.exe

(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)

It drops the following component file(s):

  • %System%\drivers\sysdrv32.sys - detected by Trend Micro as RTKT_NEERIS.AH

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
Windows System Monitor = "%Windows%\system\winrsc.exe"

Other System Modifications

This worm adds the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\SafeBoot\Minimal\
WINSYSMON

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\SafeBoot\Network\
WINSYSMON

It adds the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\SafeBoot\Minimal\
WINSYSMON
(Default) = "Service"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\SafeBoot\Network\
WINSYSMON
(Default) = "Service"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
%Windows%\system\winrsc.exe = "%Windows%\system\winrsc.exe:*:Microsoft Enabled"

Propagation

This worm drops copies of itself in the following shared folders:

  • c$\windows\system32
  • c$\winnt\system32
  • d$\windows\system32
  • d$\winnt\system32
  • Admin$
  • Admin$\system32

It drops the following copy(ies) of itself in all removable drives:

  • win.com

It uses the following file names for the copies it drops into shared networks:

  • eraseme_{random numbers}.exe

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

The said .INF file contains the following strings:

[autorun]
shellexecute=win.com
action=Open folder to view files
shell\default=Open
shell\default\command=win.com
shell=default

It uses the following list of passwords to gain access to password-protected shares:

  • !@#$
  • !@#$%
  • 1111
  • 111111
  • 1234
  • 12345
  • 123456
  • 2000
  • 2001
  • 2002
  • 2003
  • 2004
  • 2005
  • 2006
  • 2007
  • 2009
  • 654321
  • 9999
  • abc123
  • admin
  • admin123
  • administrador
  • administrat
  • administrateur
  • administrator
  • admins
  • anonymous
  • apache
  • asdf
  • asdfgh
  • backup
  • changeme
  • changeme2
  • cisco
  • compaq
  • computer
  • database
  • debug
  • default
  • ftpd
  • fuck
  • gateway
  • guest
  • hello
  • home
  • httpd
  • internet
  • kids
  • login
  • love
  • mail
  • master
  • monitor
  • mssql
  • mypass
  • mypassword
  • mysql
  • netadmin
  • netman
  • network
  • none
  • operator
  • oracle
  • owner
  • pass
  • passwd
  • password
  • password123
  • private
  • public
  • pwpwd
  • qwerty
  • recovery
  • root
  • school
  • secret
  • secrets
  • security
  • server
  • serveradmin
  • service
  • staff
  • storage
  • student
  • superuser
  • support
  • sysadm
  • system
  • teacher
  • tech
  • temp
  • test
  • user
  • veritas
  • webadmin
  • windows
  • windowsxp
  • work
  • wwwadmin

Download Routine

This worm connects to the following malicious URLs:

  • http://www.{BLOCKED}btown.com/desktopz/bb.exe

As of this writing, the said sites are inaccessible.

NOTES:

Backdoor Routine

This worm opens the following ports:

  • 555

It executes the following command(s) from a remote malicious user:

  • download file
  • execute file

It connects to the following URL(s) to send and receive commands from a remote malicious user:

  • {BLOCKED}pcord.com

Other Details

This worm does the following:

  • This malware does not steal any information from the affected system.
  • It uses a random nick name and user name in connecting to the server mail.vspcord.com. It then joins the channel #x#.
  • It gets information about the configuration of the affected system. It then enumerates available IP addresses in the network. If found, it lists down the available user accounts and then forces its way to the network using a dictionary attack, which makes use of the above-mentioned passwords. The passwords are also used as user names in connecting to a target machine.
  • Upon successful network propagation, it creates a service to execute the drop file on the target system. It then deletes the created service once it has already been executed. If it fails to create a service, it will then try to create a scheduled task in the %Windows%\Tasks folder using the NetScheduleJobAdd API function to execute its dropped copy.
  • It takes advantage of the following vulnerability to propagate across networks:

  SOLUTION

Minimum Scan Engine:

8.900

VSAPI OPR PATTERN File:

6.517.00

VSAPI OPR PATTERN Date:

09 Oct 2009

Step 1

For Windows XP and Windows Server 2003 users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.

Step 2

Remove malware files dropped/downloaded by WORM_DLOADR.SMM

Step 3

Identify and terminate files detected as WORM_DLOADR.SMM

[ Learn More ]
  1. If the detected file is displayed in either Windows Task Manager or Process Explorer but you cannot delete it, restart your computer in safe mode. To do this, refer to this link for the complete steps.
  2. If the detected file is not displayed in either Windows Task Manager or Process Explorer, continue doing the next steps.

Step 4

Delete this registry value

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • Windows System Monitor=%Windows%\system\winrsc.exe
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    • %Windows%\system\winrsc.exe=%Windows%\system\winrsc.exe:*:Microsoft Enabled

Step 5

Delete this registry key

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal
    • WINSYSMON
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network
    • WINSYSMON

Step 6

Search and delete AUTORUN.INF files created by WORM_DLOADR.SMM that contain these strings

[ Learn More ]
[autorun]
shellexecute=win.com
action=Open folder to view files
shell\default=Open
shell\default\command=win.com
shell=default

Step 7

Scan your computer with your Trend Micro product to delete files detected as WORM_DLOADR.SMM. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.

Step 8

Download and apply these security patches Refrain from using these products until the appropriate patches have been installed. Trend Micro advises users to download critical patches upon release by vendors.

NOTES:


Did this description help? Tell us how we did.